Aladdin Ghostscript creates insecure temporary files allowing a local user to create symbolic links to other files

Overview

Alladin Ghostscript, a previewer for postscript files, creates temporary files with a predictable names. The creation allows attackers to use symbolic links to overwrite other files on the host.

Description

Alladin Ghostscript is a previewer for postscript files. It creates temporary files using the mktemp() call, which creates files with predictable names based on the process number for the process running Ghostscript. The prior existence and ownership of the temporary file is not checked by the mktemp() call.

---

Impact

By creating a symbolic link with the appropriate name, an attacker may overwrite any file writable by the user running Ghostscript. This is particularly dangerous for the root account, which could lead to overwriting of system files, including the password file, and raising of the attacker’s access privileges.

---

Solution

Apply vendor patches; see the Systems Affected section below.

---

Vendor Information

227312

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Caldera __ Affected

Notified: November 22, 2000 Updated: June 26, 2001

Status

Affected

Vendor Statement

<http://www.caldera.com/support/security/advisories/CSSA-2000-041.0.txt&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23227312 Feedback>).

Conectiva __ Affected

Notified: November 22, 2000 Updated: July 02, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/other_advisory-919.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23227312 Feedback>).

Debian __ Affected

Notified: November 22, 2000 Updated: July 02, 2001

Status

Affected

Vendor Statement

http://www.debian.org/security/2000/20001123

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23227312 Feedback>).

Immunix __ Affected

Notified: November 22, 2000 Updated: July 02, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/other_advisory-957.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23227312 Feedback>).

MandrakeSoft __ Affected

Notified: November 22, 2000 Updated: June 26, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/mandrake_advisory-914.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23227312 Feedback>).

RedHat __ Affected

Notified: November 22, 2000 Updated: June 26, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/redhat_advisory-909.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23227312 Feedback>).

SuSE __ Affected

Notified: November 15, 2000 Updated: August 21, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/suse_advisory-879.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23227312 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/1990&gt;
• <http://www.linuxsecurity.com/advisories/redhat_advisory-909.html&gt;
• <http://www.caldera.com/support/security/advisories/CSSA-2000-041.0.txt&gt;
• <http://www.linuxsecurity.com/advisories/mandrake_advisory-914.html&gt;
• <http://www.debian.org/security/2000/20001123&gt;
• <http://www.linuxsecurity.com/advisories/other_advisory-919.html&gt;
• <http://www.linuxsecurity.com/advisories/other_advisory-957.html&gt;
• <http://www.linuxsecurity.com/advisories/suse_advisory-879.html&gt;

Acknowledgements

Dr. Werner Fink of SuSE first reported this vulnerability.

This document was last modified by Tim Shimeall.

Other Information

CVE IDs:	CVE-2000-1162
Severity Metric:	4.05 Date Public: